
Recently noticed that Data Collector 4.4.1 is still using log4j-1.2.17.jar under multiple libraries. Is there any plan on addressing this, as the installation of Apache Log4j 1.x is no longer supported and reached EOL in 2015? Additionally, Log4j 1.x is affected by multiple vulnerabilities.

Some of the lib locations:

/streamsets-datacollector/api-lib/log4j-1.2.17.jar

/streamsets-datacollector/streamsets-libs/streamsets-datacollector-jdbc-lib/lib/log4j-1.2.17.jar

/streamsets-datacollector/streamsets-libs/streamsets-datacollector-jms-lib/lib/log4j-1.2.17.jar

/streamsets-datacollector/streamsets-libs/streamsets-datacollector-mysql-binlog-lib/lib/log4j-1.2.17.jar

/streamsets-datacollector/streamsets-libs/streamsets-datacollector-rabbitmq-lib/lib/log4j-1.2.17.jar

/streamsets-datacollector/streamsets-libs/streamsets-datacollector-couchbase_5-lib/lib/log4j-1.2.17.jar

 

This will be addressed in an upcoming release of StreamSets Data Collector. Stay tuned. 


Hello! Is there any update on the usage of Log4j in Data Collector? We’ve deployed the 5.0.0 collector and see that Log4j v1 is still in use (/opt/streamsets-datacollector/streamsets-libs/streamsets-datacollector-sql-server-bdc-lib/lib/log4j-1.2.17.jar).

Thank you!


Hi @l3ender,

Data Collector 5.0.0 doesn't use any Log4j 1.x libraries. What you’re seeing there is the SQL Server 2019 Big Data Cluster enterprise stage library that's not part of the core Data Collector offering. At this time, I don't have any updates on if or when that particular enterprise stage library will be updated to remove use of Log4j 1.x. 


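To check an installation for the situation discussed in this thread, the following added example (not part of the original posts and not StreamSets code) inventories Log4j 1.x jars per stage library, so core directories can be told apart from individual stage libraries. It matches on filename and, as an assumption, on the Maven metadata path for the `log4j:log4j` coordinates to catch renamed or bundled copies; the function names and the sample tree are constructed for illustration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

POM_PROPS = "META-INF/maven/log4j/log4j/pom.properties"  # log4j:log4j is Log4j 1.x only
V1_NAME = re.compile(r"^log4j-(1\.\d+(?:\.\d+)*)\.jar$")

def embedded_version(jar):
    """Version from Maven metadata inside the jar; catches renamed or bundled copies."""
    try:
        with zipfile.ZipFile(jar) as zf:
            text = zf.read(POM_PROPS).decode("utf-8", "replace")
    except (KeyError, zipfile.BadZipFile, OSError):
        return None  # no log4j:log4j metadata, or unreadable archive
    m = re.search(r"^version=(\S+)", text, re.M)
    return m.group(1) if m else "unknown"

def find_log4j1(root):
    """Map each component to the (relative path, version) of Log4j 1.x jars it ships."""
    findings = {}
    for jar in sorted(Path(root).rglob("*.jar")):
        hit = V1_NAME.match(jar.name)
        version = hit.group(1) if hit else embedded_version(jar)
        if version:
            rel = jar.relative_to(root)
            p = rel.parts
            # Stage library name under streamsets-libs/, else the top-level directory.
            component = p[1] if p[0] == "streamsets-libs" and len(p) > 2 else p[0]
            findings.setdefault(component, []).append((rel.as_posix(), version))
    return findings

def build_sample_tree(root):
    """Constructed sample tree; the layout mirrors the paths quoted in the thread."""
    libs = "streamsets-libs/streamsets-datacollector-"
    jars = {"api-lib/log4j-1.2.17.jar": None,
            libs + "jdbc-lib/lib/log4j-1.2.17.jar": None,
            libs + "jms-lib/lib/vendor-bundle.jar": "version=1.2.17\n",  # renamed copy
            libs + "jms-lib/lib/log4j-core-2.17.1.jar": None}  # 2.x, must not be flagged
    for rel, props in jars.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            if props:
                zf.writestr(POM_PROPS, props)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(find_log4j1(tmp))
```

Against a real installation, call `find_log4j1` on the Data Collector install directory; a component with no entry in the result ships no jar that matched either check.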